I'm trying to make a login form in PHP and I'm stuck on the part where it matches the value filled in by the user against the data stored in the database (MySQL). I'm not sure where I'm making the error as I'm new to PHP, so please help.

if($num > 0)
{
    $sql = "SELECT agent FROM agents WHERE agent='$_POST[agent1]'
    AND street='$_POST[street1]'";
    $result2 = mysql_query($sql) or die("Query died: fpassword");
    $num2 = mysqli_num_rows($result2);
    //print $num2;
}
if($num2 > 0) //password matches
{
    echo "match it is !!";
}
?>
Explanation: I want my form to match the data entered by the user in the "agent1" and "street1" fields against the data already stored in the database, and if it matches, then show me the next page.

Thanks.

08-01-2014, 09:06 AM

ginerjm

1 - post your code properly next time. Read the forum rules first.

2 - Do NOT use the @ operator. Where did you learn this? Especially on a query call which you really MUST check for success before proceeding. Why would one ever want to suppress an error report of a failed operation? Makes no sense. That's like saying "don't tell me if I'm wrong - I'm going to do it anyway."

3 - When you read up on these functions in the PHP manual (link at top of forum site) did you not see the highlighted box telling you NOT to use the MYSQL_* functions? Use mysqlI or PDO for your db access.

Now looking at your code:
You do a query of an entire table 'agents'. Great. But why? You then check if you have any results at all and then you proceed to do a query against the same table again, this time only looking for a specific agent value. Great - that's more like it except one should never use unsanitized data as an input argument in a query. You need to use prepared queries (not avail btw in MySQL_* extension) to be safe. You then check the number of rows returned using an entirely different extension's function (mysqli). Why switch horses in mid-script? And lastly - if you did not find a row that matches your input values you blame it on a bad password. Why do you say that since a password has not been mentioned in your script at all?

PS - your syntax is wrong on your post references. A PROPER (IMHO) reference to an array (which $_POST is) looks like: $_POST['index']. The index of an associative array should be in quotes unless it is a variable or a constant name.

08-01-2014, 02:57 PM

KalobTaulien

Hey there,

As mentioned above by ginerjm there are some poor techniques used, but that's not the issue at hand.

// If there is an error in the query, this will kill your script and tell you what the error is so you can fix it immediately.
$sql = mysqli_query($con, "SELECT agent FROM agents WHERE agent='$agent' AND street='$street'") or die(mysqli_error($con));
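
The prepared-query approach ginerjm recommends, combined with the fail-loudly error handling from KalobTaulien's post, as an added example that is not part of either post. It uses PDO with an in-memory SQLite database as a stand-in for MySQL (an assumption, so it runs offline); the function name agentMatches and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the MySQL database so this runs offline.
// For MySQL only the DSN changes, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo = new PDO('sqlite::memory:');
// Throw on any failed statement instead of hiding it with @ or carrying on blindly.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data; table and column names follow the thread.
$pdo->exec('CREATE TABLE agents (agent TEXT, street TEXT)');
$pdo->exec("INSERT INTO agents (agent, street) VALUES ('O''Brien', '12 Main St')");

/**
 * Returns true when the submitted agent1/street1 pair matches a stored row.
 * $post is the form data (normally $_POST). Hypothetical helper, not from the thread.
 */
function agentMatches(PDO $pdo, array $post): bool
{
    $agent  = $post['agent1']  ?? null;
    $street = $post['street1'] ?? null;

    // Reject missing fields and array-valued fields (agent1[]=...) before querying.
    if (!is_string($agent) || !is_string($street)) {
        return false;
    }

    // Placeholders keep the values out of the SQL text; they are bound as data only.
    $stmt = $pdo->prepare('SELECT 1 FROM agents WHERE agent = :agent AND street = :street');
    $stmt->execute([':agent' => $agent, ':street' => $street]);

    // fetchColumn() returns false when no row matched.
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs: a valid pair, a wrong street, values carrying SQL syntax, a missing field.
$cases = [
    ['agent1' => "O'Brien", 'street1' => '12 Main St'],
    ['agent1' => "O'Brien", 'street1' => '99 Other Rd'],
    ['agent1' => "x' OR '1'='1", 'street1' => "x' OR '1'='1"],
    ['agent1' => "O'Brien"],
];

foreach ($cases as $post) {
    echo json_encode($post), ' => ', agentMatches($pdo, $post) ? 'match' : 'no match', PHP_EOL;
}
```

Only the first case should report a match: the apostrophe in the stored name needs no manual escaping, and the value containing quotes and OR is compared as a literal string instead of altering the query.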